DuendeSoftware / Support

Support for Duende Software products

System.Security.Cryptography.CryptographicException: The payload was invalid. - Azure Entra ID Logout failure #1311

Open gizmohd opened 6 days ago

gizmohd commented 6 days ago

Which version of Duende IdentityServer are you using? 7.0.5

Which version of .NET are you using? 8.0

Describe the bug

When using Azure Entra ID as the upstream authentication, login works fine, but when a user attempts to log out, the identity server throws an error:

System.Security.Cryptography.CryptographicException: The payload was invalid. For more information go to https://aka.ms/aspnet/dataprotectionwarning

Expected behavior

User should be logged out successfully and without error...

Log output/exception with stacktrace
System.Security.Cryptography.CryptographicException: The payload was invalid. For more information go to https://aka.ms/aspnet/dataprotectionwarning
   at Microsoft.AspNetCore.DataProtection.Managed.ManagedAuthenticatedEncryptor.Decrypt(ArraySegment`1 protectedPayload, ArraySegment`1 additionalAuthenticatedData)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status)
   at Microsoft.AspNetCore.DataProtection.DataProtectionCommonExtensions.Unprotect(IDataProtector protector, String protectedData)
   at Duende.IdentityServer.Infrastructure.DistributedCacheStateDataFormatter.Unprotect(String protectedText, String purpose) in /_/src/IdentityServer/Infrastructure/DistributedCacheStateDataFormatter.cs:line 100
   at Duende.IdentityServer.Infrastructure.DistributedCacheStateDataFormatter.Unprotect(String protectedText) in /_/src/IdentityServer/Infrastructure/DistributedCacheStateDataFormatter.cs:line 83
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleSignOutCallbackAsync()
   at Duende.IdentityServer.Hosting.FederatedSignOut.AuthenticationRequestHandlerWrapper.HandleRequestAsync() in /_/src/IdentityServer/Hosting/FederatedSignOut/AuthenticationRequestHandlerWrapper.cs:line 38
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Duende.IdentityServer.Hosting.DynamicProviders.DynamicSchemeAuthenticationMiddleware.Invoke(HttpContext context) in /_/src/IdentityServer/Hosting/DynamicProviders/DynamicSchemes/DynamicSchemeAuthenticationMiddleware.cs:line 51
   at Duende.IdentityServer.Hosting.BaseUrlMiddleware.Invoke(HttpContext context) in /_/src/IdentityServer/Hosting/BaseUrlMiddleware.cs:line 27
   at Microsoft.AspNetCore.Diagnostics.StatusCodePagesMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddlewareImpl.Invoke(HttpContext context)

OIDC settings configuration for Entra ID:

auth.AddOpenIdConnect("oidc-adfs", "Corporate", options =>
{
    options.RemoteAuthenticationTimeout = TimeSpan.FromMinutes(3);

    // Sign-in lands in IdentityServer's external cookie; sign-out goes through
    // IdentityServer's federated sign-out scheme.
    options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
    options.SignOutScheme = IdentityServerConstants.SignoutScheme;

    options.CallbackPath = "/signin-oidc-adfs";
    options.Authority = $"https://login.microsoftonline.com/{Configuration["Authentication:ADFS:TenantId"]}";
    options.ClientId = Configuration["Authentication:ADFS:ApplicationId"];

    options.Scope.Add("adfs");
    options.Scope.Add("email");
    options.Scope.Add("phone");
    options.Scope.Add("groups");
    options.Scope.Add("address");
    options.Scope.Add("profile");
    options.Scope.Add("openid");
    options.Scope.Add("groups.read");
    options.Scope.Add("user.read");

    options.GetClaimsFromUserInfoEndpoint = true;
});
RolandGuijt commented 3 days ago

I suspect this has to do with compatibility issues with Microsoft's OpenIdConnect handler and not with IdentityServer.

Can you please try this configuration in a regular ASP.NET Core Web application (e.g. MVC) without IdentityServer and see if this still occurs? If it does, you could try to use Microsoft's NuGet package for the identity platform instead of the generic OpenIdConnect handler.
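A minimal stand-alone ASP.NET Core app that exercises the same provider settings outside IdentityServer, as the comment above suggests. This is an added example, not code from the thread or from Duende; the scheme name, scopes and configuration keys are copied from the reporter's snippet, while the plain cookie scheme, the `/logout` endpoint and the default sign-out callback path are assumptions for the repro.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

var builder = WebApplication.CreateBuilder(args);
var config = builder.Configuration;

builder.Services.AddAuthorization();
builder.Services
    .AddAuthentication(options =>
    {
        // A plain cookie stands in for IdentityServer's external cookie scheme (assumption).
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = "oidc-adfs";
    })
    .AddCookie()
    .AddOpenIdConnect("oidc-adfs", "Corporate", options =>
    {
        // Provider settings copied from the reporter's IdentityServer configuration.
        options.RemoteAuthenticationTimeout = TimeSpan.FromMinutes(3);
        options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.SignOutScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.CallbackPath = "/signin-oidc-adfs";
        // SignedOutCallbackPath is left at its default, "/signout-callback-oidc";
        // the Entra app registration must list it as a front-channel logout URL.
        options.Authority = $"https://login.microsoftonline.com/{config["Authentication:ADFS:TenantId"]}";
        options.ClientId = config["Authentication:ADFS:ApplicationId"];
        options.Scope.Clear(); // avoid duplicating the default openid/profile entries
        foreach (var scope in new[] { "openid", "profile", "email", "phone", "address",
                                      "groups", "adfs", "groups.read", "user.read" })
            options.Scope.Add(scope);
        options.GetClaimsFromUserInfoEndpoint = true;
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Requesting "/" triggers the challenge and the login round-trip.
app.MapGet("/", (HttpContext ctx) => $"Signed in as {ctx.User.Identity?.Name}")
   .RequireAuthorization();

// Signs out of the local cookie and of Entra ID. The end-session redirect returns to
// SignedOutCallbackPath, where HandleSignOutCallbackAsync unprotects the state: the
// step that throws in the stack trace above when IdentityServer is in the pipeline.
app.MapGet("/logout", () => Results.SignOut(
    new AuthenticationProperties { RedirectUri = "/" },
    new[] { CookieAuthenticationDefaults.AuthenticationScheme, "oidc-adfs" }));

app.Run();
```

If `/logout` completes cleanly here, the failure is specific to the IdentityServer host (its `DistributedCacheStateDataFormatter` wrapping of the handler's state); if it throws the same exception, the issue lies with the Microsoft handler and Entra ID alone.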